DETAILED ACTION

In view of the Appeal Brief filed on 11/13/07, PROSECUTION IS HEREBY REOPENED. A new ground of
rejection is set forth below. 

To avoid abandonment of the application, appellant must exercise one of the following two options: 

(1) file a reply under 37 CFR 1.111 (if this Office action is non-final) or a reply under 37 CFR 1.113 (if this 
Office action is final); or, 

(2) initiate a new appeal by filing a notice of appeal under 37 CFR 41.31 followed by an appeal brief 
under 37 CFR 41.37. The previously paid notice of appeal fee and appeal brief fee can be applied to the 
new appeal. If, however, the appeal fees set forth in 37 CFR 41.20 have been increased since they were 
previously paid, then appellant must pay the difference between the increased fees and the amount 
previously paid. 

A Supervisory Patent Examiner (SPE) has approved of reopening prosecution by signing below: 

Response to Arguments 

Applicant's arguments, see appeal brief pages 9-11, filed 11/13/07, with respect to the rejection(s) of
claim(s) 1-8, 10-16, 18 under 35 USC 102(e) have been fully considered and are persuasive. Therefore, 
the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is 
made in view of Li. 

Claim Rejections - 35 USC §112 

The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

1. Claims 1, 10, and 18 are rejected under 35 U.S.C. 112, second paragraph, as being indefinite for
failing to particularly point out and distinctly claim the subject matter which applicant regards as the
invention. Said claims recite the limitation, "non-security policy". Applicant's specification does not
provide adequate support or any definition of what a non-security policy may entail. While paragraph 19
of applicant's specification defines examples of several different policies, it does not define which are 
security policies and which are non-security policies. Said paragraph further cites that policy definitions 
other than those listed may be used. For purposes of examination, examiner interprets tracking and 
monitoring information as a non-security policy. Appropriate correction is required. 



Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form
the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

Claims 1-8, and 10-16 are rejected under 35 U.S.C. 102(e) as being anticipated by Li et 
al., US PGP No. 20040193912, hereinafter Li.

As per claims 1, 10, and 18, Li teaches:

A system for implementing a policy in a network, said system comprising: 

a plurality of device-agnostic policy implementation, in which the device-agnostic policy implementations
include non-security policy implementations;

[see paragraph 26] "Security policies are centrally stored in a policy repository. The data format 
of the security policies is in an intermediate format that is translated to formats that can be 
consumed and enforced on each of the security-enabled devices of the network." 

[see paragraph 30] "a centralized policy feedback application or a policy feedback point module 
monitors and tracks the security threat information or event information."

Examiner is interpreting the monitoring and tracking of information as a "non-security policy
implementation". This information may or may not be security related information but the type of
information being monitored or tracked is irrelevant. The action of monitoring or tracking is
viewed as non-security policy implementation, not the actual information being monitored or 
tracked. 



a plurality of network devices, at least two of said devices being dissimilar; and 

[see paragraph 27] "Security-enabled devices are any processing devices capable of enforcing 
security policies, such as, but not limited to, routers, network hubs, network bridges, switches, 
gateways, clients, servers, stand alone intelligent appliances, computing peripherals, and the 
like." 



a plurality of device translators, each device translator corresponding to a respective one of said plurality 
of network devices and one of said plurality of device-agnostic policy implementations, at least two of said 
device translators being dissimilar, each of said plurality of device translators translating said
device-agnostic policy implementation into corresponding device-specific implementations.

[see paragraph 28] "One or more policy decision translators interact with the policy repository to 
acquire, distribute, or push security policies to the appropriate security-enabled devices over the 
network. The policy decision translators include logic to convert the intermediate data format of 
the security policies to needed data formats that can be used by each of the security-enabled 
devices."



As per claims 2 and 13, Li teaches: 

The system according to claim 1, wherein said device-agnostic policy implementation is selected from the 
group consisting of firewall, Virtual Private Network, Java 2 Enterprise Edition Application, and custom 
operating system. 

[see paragraph 20] "A PEP 113 can be an application or a device, such as a server, firewall, 
router, or any other computing device accessible over the network." 



As per claims 3 and 14, Li teaches: 

The system according to claim 1, wherein said device-agnostic policy implementation implements a policy
selected from the group consisting of access control, quality of service, backup, and availability.

[see paragraph 21] "The PFP 120 includes integrated feedback information obtained from 
intrusion detection systems (IDS), vulnerability scanners, and the like, which can all be PEPs 
themselves." 
Intrusion detection systems perform functions of access control.

As per claims 4 and 12, Li teaches:

The system according to claim 1, wherein said device translators are represented by Extensible
Stylesheet Language (XSL) code.

[see paragraph 17] "the policy translators are implemented as Extensible Style Sheet Language
Transformation (XSLT) applications" 

As per claims 5 and 11, Li teaches: 

The system according to claim 1, wherein said device-agnostic policy implementation is Extensible
Markup Language (XML) code.

[see paragraph 17] "The policy translators are implemented as Extensible Style Sheet Language 
Transformation (XSLT) applications, which use one or more Extensible Style Sheets (XSL) to 
render the security policies represented as XML in the policy repository."

As per claim 6, Li teaches:

The system according to claim 3, wherein said policy is represented by Extensible Markup Language 
(XML) code. 

[see paragraph 14] "The security policies are stored in a relational database in a native Extensible 
Markup Language (XML) format" 

As per claims 7 and 15, Li teaches: 

The system according to claim 1, wherein the device-specific implementation is represented by Command
Line Interface (CLI) code.

[see paragraph 21] "Pieces of the PFP can communicate in IDMEF, SNMP, or any other CLI or 
protocol required by a security-enabled device within the network."

As per claims 8 and 16, Li teaches: 

The system according to claim 1, wherein the device-specific implementation is represented by
Application Programming Interface (API) code.

[see paragraph 30] "Different components of the PFP are designed to communicate with the 
CLIs, APIs, and/or protocols recognized by specific security-enabled device applications." 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 9 and 17 are rejected under 35 U.S.C. 103(a) as being unpatentable over Li as
applied to claim 1 above, and further in view of Young, US PGP No. 20050160361.

As per claims 9 and 17, 

The Li reference has been discussed above. Li does not expressly teach: 

The system according to claim 1, wherein the device-specific implementation is represented by 
Java code. 
Young teaches: 

[see paragraph 57] "adaptation can be invoked via different programmatic paradigms (e.g., API, 
CLI) and can be invoked on a variety of different platforms including, but not limited to, a JAVA 
platform, an XML platform, a COM platform and an ODBC platform."

Java is a general purpose high level programming language with a number of features that make
the language well suited for use in the World Wide Web. It would be obvious to one of ordinary skill in the
art to which the subject pertains at the time of the invention to modify the Li reference to incorporate Java
code in order to enable a common security policy configuration across heterogeneous enterprise
networks.

POINTS OF CONTACT



Any response to this Office Action should be faxed to (571) 273-8300 or mailed to: 

Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 22313-1450 

Hand-delivered responses should be brought to 



Any inquiry concerning this communication or earlier communications from the examiner should
be directed to Daniel L. Hoang whose telephone number is 571-270-1019. The examiner can normally 
be reached on Monday - Thursday, 8:00 a.m. - 5:00 p.m., EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Nasser Moazzami can be reached on 571-272-4195. The fax phone number for the organization where 
this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent Application
Information Retrieval (PAIR) system. Status information for published applications may be obtained from 
either Private PAIR or Public PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) 
at 866-217-9197 (toll-free). 